On Thu, Jan 25, 2018 at 01:35:17PM +0100, Michał Górny wrote:
> Title: Portage rsync tree verification
> Author: Michał Górny <mgorny@g.o>
> Posted: 2018-01-xx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: <sys-apps/portage-2.3.21
Drop Display-If-Installed, they need to always see this until they know
it was bootstrapped.

> Starting with sys-apps/portage-2.3.22, Portage enables cryptographic
> verification of the Gentoo rsync repository distributed over rsync
> by default.
Seems very wordy, suggested cleanup:
|| Starting with sys-apps/portage-2.3.22, Portage will verify the Gentoo
|| repository after rsync by default.

> This aims to prevent malicious third parties from altering
> the contents of the ebuild repository received by our users.
>
> This does not affect users syncing using git and other methods.
> Appropriate verification mechanisms for them will be provided
> in the future.
Note that emerge-webrsync has verification via FEATURES=webrsync-gpg?

Rewrite:
|| The new verification is intended for users who sync via rsync.
|| Users who sync by emerge-webrsync should see [linkref].
|| Verification mechanisms for other methods of sync will be provided in
|| future.

> On Gentoo installations created using installation media that included
> portage-2.3.22, the keys will already be covered by the installation
> media signatures. On existing installations, you need to manually
> compare the primary key fingerprint (reported by gemato on every sync)
> against the official Gentoo keys [1]. An example gemato output is:
> INFO:root:Valid OpenPGP signature found:
> INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
> INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
Either we should use a real key here, or specifically note this is a fake
key output on purpose.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@g.o
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
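The manual fingerprint comparison the news item asks of existing installations, as an added example that is not part of this thread and not gemato's or Portage's own code: it parses the "primary key:" line from gemato's log output, normalizes the fingerprint (whitespace, case) and checks it against an allowlist. The sample output reuses the draft's placeholder fingerprints, and the allowlist is a hypothetical stand-in for the official Gentoo key listing referenced as [1].

```python
import re
from typing import List, Set, Tuple

# Constructed sample of gemato output, copied from the quoted news item draft.
# These fingerprints are the draft's placeholder values, not real Gentoo keys.
SAMPLE_GEMATO_OUTPUT = """\
INFO:root:Valid OpenPGP signature found:
INFO:root:- primary key: 1234567890ABCDEF1234567890ABCDEF12345678
INFO:root:- subkey: FEDCBA0987654321FEDCBA0987654321FEDCBA09
"""

# Hypothetical allowlist; a real one is filled from the official Gentoo key
# listing ([1] in the news item). Entries may be written gpg-style with spaces.
TRUSTED_PRIMARY_FINGERPRINTS = {
    "1234 5678 90AB CDEF 1234  5678 90AB CDEF 1234 5678",
}

# Only the primary key line is checked: subkeys rotate, the primary key is
# what the official listing identifies.
_PRIMARY_RE = re.compile(r"primary key:\s*([0-9A-Fa-f ]+?)\s*$")


def normalize_fingerprint(fpr: str) -> str:
    """Canonical form: uppercase hex with no whitespace."""
    return re.sub(r"\s+", "", fpr).upper()


def extract_primary_fingerprints(output: str) -> List[str]:
    """Return every primary-key fingerprint gemato reported, normalized."""
    found = []
    for line in output.splitlines():
        m = _PRIMARY_RE.search(line)
        if m:
            found.append(normalize_fingerprint(m.group(1)))
    return found


def verify_primary_key(output: str, trusted: Set[str]) -> Tuple[bool, str]:
    """Require exactly one well-formed, allowlisted primary key. Returns (ok, reason)."""
    trusted_norm = {normalize_fingerprint(f) for f in trusted}
    fprs = extract_primary_fingerprints(output)
    if not fprs:
        return False, "no primary key fingerprint found in gemato output"
    if len(set(fprs)) != 1:
        return False, "multiple distinct primary keys reported"
    fpr = fprs[0]
    if len(fpr) != 40:  # OpenPGP v4 fingerprints are 160 bits = 40 hex digits
        return False, "malformed fingerprint: " + fpr
    if fpr not in trusted_norm:
        return False, "untrusted primary key: " + fpr
    return True, "primary key matches trusted fingerprint: " + fpr
```

Feed it the log gemato writes during `emerge --sync`; a `False` result on a key not in the listing is the case the news item warns about and should stop the tree from being used.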